I hope that this comment doesn’t become typical of Google’s approach to Chrome security
From an interview at Google Blogoscoped with Google group product manager Brian Rakowski:
…
There are ways to make Chrome automatically download a file without the user confirming this (at least using Chrome’s default options). Don’t you consider that a potential problem?
On its own, downloading a file isn’t dangerous. It can be annoying if a site tries to download a bunch of files to fill up your hard drive, but there are other ways to do things like that and it hasn’t become a problem. The danger arises when an automatically downloaded file can be automatically executed. We’ve taken steps to prevent this in Google Chrome and will continue to make sure that this is the case.
This answer is incredibly disingenuous.
How about this comparison? Leaving your front door open is not inherently dangerous. It’s only a problem if an attacker walks in through the open door and steals your stuff!
Is downloading a file inherently dangerous? Of course not, I do it all the time - when I want to! If Chrome can be fooled into downloading a file without the user’s permission - and it can - that means that an attacker can place malware onto your machine, and it’s up to you not to launch it. Even if it’s named Spore.exe, and has a Spore shortcut on the Start menu linking to it. A Start menu shortcut is itself just a file. Arbitrary file downloads are inherently dangerous. You can’t say “It’s only dangerous if…” the file automatically gets executed, because it’s much easier to convince the end user to execute a file than it is to force it onto the end-user’s machine!
With decent security in place, that is.
BTW, this vulnerability calls into question the whole trust model that the comic book brags about on pages 26-27, don’t you think?


